fix(deck.gl): strip all JS-executed form_data keys when JavaScript controls are disabled

[rusackas]

SUMMARY

The deck.gl chart plugins execute several form_data fields as JavaScript at render time through the frontend sandboxedEval helper. To keep this behavior gated behind the ENABLE_JAVASCRIPT_CONTROLS feature flag (which defaults to off), the backend strips those keys from form_data in get_form_data when the flag is disabled.

The strip list (REJECTED_FORM_DATA_KEYS in superset/views/utils.py) only covered three of the keys:

["js_tooltip", "js_onclick_href", "js_data_mutator"]

However, the Geojson layer also evaluates two more fields via sandboxedEval:

• label_javascript_config_generator
• icon_javascript_config_generator

(see plugins/preset-chart-deckgl/src/layers/Geojson/Geojson.tsx and the legacy legacy-preset-chart-deckgl equivalent). Because these two were not in the strip list, they were retained in form_data and executed client-side even when ENABLE_JAVASCRIPT_CONTROLS is disabled — bypassing the intended gate for those fields.

This change:

• Adds the two missing keys to the strip list.
• Centralizes the full set of JS-executed keys in a named JS_CONTROL_FORM_DATA_KEYS constant, with a comment noting it must stay in sync with the sandboxedEval(fd.<key>) call sites in the deck.gl plugins.
• Adds unit tests asserting that every JS-executed key is rejected when the flag is off, which also guards against future call sites being added without updating the list.

No behavior change when ENABLE_JAVASCRIPT_CONTROLS is enabled.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

N/A — backend form_data handling.

TESTING INSTRUCTIONS

pytest tests/unit_tests/views/test_utils.py

• test_rejected_form_data_keys_cover_all_js_control_keys — every JS-executed key is in the strip list when the flag is off.
• test_get_form_data_strips_js_control_keys — get_form_data drops all of them and preserves non-JS keys.

ADDITIONAL INFORMATION

• Has associated issue:
• Required feature flags:
• Changes UI
• Includes DB Migration
• Introduces new feature or API
• Removes existing feature or API

🤖 Generated with Claude Code

[bito-code-review]

Code Review Agent Run #498998

Actionable Suggestions - 0

Review Details

• Files reviewed - 2 · Commit Range: c7178f7..c7178f7

  • superset/views/utils.py
  • tests/unit_tests/views/test_utils.py
• Files skipped - 0
• Tools

  • Whispers (Secret Scanner) - ✔︎ Successful
  • Detect-secrets (Secret Scanner) - ✔︎ Successful
  • MyPy (Static Code Analysis) - ✔︎ Successful
  • Astral Ruff (Static Code Analysis) - ✔︎ Successful

---

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

• /review - Manually triggers a full AI review.

• /pause - Pauses automatic reviews on this pull request.

• /resume - Resumes automatic reviews.

• /resolve - Marks all Bito-posted review comments as resolved.

• /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

• Customize agent settings
• Review rules
• General documentation
• FAQ

AI Code Review powered by

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 64.03%. Comparing base (8dcc7e7) to head (7761ab2).

Additional details and impacted files

@@           Coverage Diff           @@
##           master   #40602   +/-   ##
=======================================
  Coverage   64.03%   64.03%           
=======================================
  Files        2663     2663           
  Lines      143619   143620    +1     
  Branches    33030    33030           
=======================================
+ Hits        91973    91974    +1     
  Misses      50044    50044           
  Partials     1602     1602           

Flag	Coverage Δ
hive	39.67% <100.00%> (+<0.01%)	⬆️
mysql	58.39% <100.00%> (+<0.01%)	⬆️
postgres	58.46% <100.00%> (+<0.01%)	⬆️
presto	41.26% <100.00%> (+<0.01%)	⬆️
python	59.94% <100.00%> (+<0.01%)	⬆️
sqlite	58.09% <100.00%> (+<0.01%)	⬆️
unit	100.00% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[netlify]

✅ Deploy Preview for superset-docs-preview ready!

Name	Link
🔨 Latest commit	7761ab2
🔍 Latest deploy log	https://app.netlify.com/projects/superset-docs-preview/deploys/6a21ad4103a47200084a6421
😎 Deploy Preview	https://deploy-preview-40602--superset-docs-preview.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.
🤖 Make changes	Run an agent on this branch

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[Copilot]

Pull request overview

This PR fixes a feature-flag gating gap for deck.gl chart plugins by ensuring all form_data fields that are executed via sandboxedEval are stripped server-side when ENABLE_JAVASCRIPT_CONTROLS is disabled (the default), preventing unintended client-side execution.

Changes:

• Introduces JS_CONTROL_FORM_DATA_KEYS in superset/views/utils.py and uses it to populate REJECTED_FORM_DATA_KEYS when JavaScript controls are disabled.
• Expands the rejected/stripped key set to include Geojson layer’s label_javascript_config_generator and icon_javascript_config_generator.
• Adds unit tests verifying (a) the rejected list covers all JS-executed keys and (b) get_form_data strips them while preserving non-JS keys.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
superset/views/utils.py	Centralizes the set of JS-evaluated form_data keys and strips them when ENABLE_JAVASCRIPT_CONTROLS is off.
tests/unit_tests/views/test_utils.py	Adds regression tests to ensure all JS-executed keys are rejected/stripped under the default (disabled) feature flag.

[bito-code-review]

Bito Automatic Review Skipped – PR Already Merged

Bito scheduled an automatic review for this pull request, but the review was skipped because this PR was merged before the review could be run.
No action is needed if you didn't intend to review it. To get a review, you can type /review in a comment and save it